FWIW, Zen Cart includes a .htaccess file in 'admin/includes' that
prevents remote access to any PHP files in that directory:

theall@lab:/var/www/localhost/htdocs/zencart>cat admin/includes/.htaccess
# $Id: .htaccess 2996 2006-02-09 00:42:17Z drbyte $
#
# This is used with Apache WebServers
# The following blocks direct HTTP requests in this directory recursively
#
# This does not affect PHP include/require functions
#
# Example: direct access to http://server/admin/includes/application_top.php will not work with the following installed
<Files *.php>
Order Deny,Allow
Deny from all
Allow from localhost
</Files>

This file is included in 1.3.8, which CraCkEr reports as affected as
well as 1.3.7 and 1.3.8a, which is current.
As a result, the local file include issues by milw0rm 6038 / BID 30179
aren't likely to be exploitable in practice -- not only would you need
to have register_globals enabled as the advisory notes, but the target
would need to be running a web server that doesn't grok .htaccess
files or ignores them.
George
--
theall at tenablesecurity.com
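
The protection described in the message above only holds if Apache actually reads the .htaccess file, and Order/Deny/Allow are only accepted from .htaccess when AllowOverride is All or includes Limit. The following is an added example, not part of the original post or of Zen Cart: a small Python check of an Apache configuration for that condition. The sample configurations are constructed, and the `default` parameter is an assumption modelling the server's built-in AllowOverride default (None on Apache 2.4).

```python
import re

# Constructed sample configs (not from the post); paths mirror the post's docroot.
DOCROOT = "/var/www/localhost/htdocs"
TARGET = DOCROOT + "/zencart/admin/includes"
CONF_HONORED = f'''
<Directory "/">
    AllowOverride None
</Directory>
<Directory "{DOCROOT}">
    AllowOverride Limit FileInfo
</Directory>
'''
CONF_IGNORED = '''
<Directory "/var/www">
    AllowOverride AuthConfig
</Directory>
'''

SECTION = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S | re.I)
OVERRIDE = re.compile(r'^\s*AllowOverride\s+(.+?)\s*$', re.M | re.I)

def effective_allowoverride(conf, target, default="None"):
    """Return the AllowOverride tokens in force for `target`.

    Simplification: only literal <Directory> paths are handled (no wildcards,
    regex or <DirectoryMatch>). The longest matching path that sets
    AllowOverride wins, because sections are applied shortest-first.
    """
    best_len, tokens = -1, default.split()
    target = target.rstrip("/") + "/"
    for path, body in SECTION.findall(conf):
        prefix = path.rstrip("/") + "/"
        found = OVERRIDE.findall(body)
        if found and target.startswith(prefix) and len(prefix) > best_len:
            best_len, tokens = len(prefix), found[-1].split()
    return tokens

def htaccess_access_rules_honored(conf, target, default="None"):
    """Order/Deny/Allow in .htaccess need AllowOverride All or Limit."""
    tokens = {t.lower() for t in effective_allowoverride(conf, target, default)}
    return "all" in tokens or "limit" in tokens

if __name__ == "__main__":
    for name, conf in (("honored", CONF_HONORED), ("ignored", CONF_IGNORED)):
        print(name, htaccess_access_rules_honored(conf, TARGET))
```

A False result means the .htaccess rules are ignored for that directory, so the block on admin/includes/*.php should be moved into the main server configuration instead.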